Package-level declarations

Types

data class IssuanceState(
    val clientId: String,
    val scope: String,
    val clientAttestationKey: EcPublicKey?,
    var dpopKey: EcPublicKey?,
    var redirectUri: String?,
    var codeChallenge: ByteString?,
    var clientState: String? = null,
    var dpopNonce: ByteString? = null,
    var openid4VpVerifierModel: Openid4VpVerifierModel? = null,
    var systemOfRecordAuthCode: String? = null,
    var systemOfRecordCodeVerifier: ByteString? = null,
    var systemOfRecordAccess: SystemOfRecordAccess? = null
)

Types of opaque session ids for client-server communication.

data class SystemOfRecordAccess(val accessToken: String, val accessTokenExpiration: Instant, val refreshToken: String?)

Authentication information used to access the System of Record.

Properties

val AUTHZ_REQ: ContentType

Functions

suspend fun authorizeWithDpop(request: ApplicationRequest, publicKey: EcPublicKey, clientId: String, dpopNonce: ByteString?, accessToken: String? = null)

DPoP Authorization validation.

suspend fun codeToId(type: OpaqueIdType, code: String): String

Decodes an opaque session id ("code") into the server-side id, validating the code's purpose (type) and expiration time.

suspend fun createSession(request: ApplicationRequest, parameters: Parameters): String

Creates an issuance session based on the given HTTP request and returns a unique id for it.

fun extractAccessToken(request: ApplicationRequest): String

Extracts the access token from a DPoP-protected request.

suspend fun idToCode(type: OpaqueIdType, id: String, expiresIn: Duration): String

Creates an opaque session id ("code") that can be safely given to the client. On the server the session is identified only by its id, which stays the same. When the session is referenced from the client, we do not want the client to be able to tamper with the reference, so the actual server-side id and a small amount of metadata are encrypted using a server secret key.

fun processInitialDPoP(request: ApplicationRequest): EcPublicKey?

Processes the initial DPoP header (the one that establishes the key used for the rest of the session).

suspend fun validateClientAssertion(parameters: Parameters, clientId: String): Boolean

Validates an OAuth client assertion.

suspend fun validateClientAttestation(request: ApplicationRequest, clientId: String): EcPublicKey?

Ensures the OAuth client attestation attached to the given HTTP request is valid.

suspend fun validateClientAttestationPoP(request: ApplicationRequest, clientId: String, attestationKey: EcPublicKey)

Ensures the OAuth client attestation proof-of-possession attached to the given HTTP request is valid.

suspend fun validateJwt(
    jwt: String,
    jwtName: String,
    publicKey: EcPublicKey?,
    algorithm: Algorithm? = publicKey?.curve?.defaultSigningAlgorithmFullySpecified,
    checks: Map<JwtCheck, String> = mapOf(),
    maxValidity: Duration = 10.hours,
    clock: Clock = Clock.System
): JsonObject

General-purpose JWT validation using a set of built-in required checks (expiration and signature validity) and a set of optional checks specified in the checks parameter.